Welcome to the Software Composition Analysis (SCA) service. This page provides essential information about the service including prerequisites, what it covers, the steps involved, how to apply and how your team can benefit. The SCA service helps your team gain visibility into third-party libraries used in your software and identify potential risks related to security vulnerabilities and licensing non-compliance.
This service can be used independently or in combination with other software reviews.
To apply for this service, you will need:
✅ Your application or service listed in the GÉANT Software Catalogue – to help us identify and support your project.
📂 A code repository (e.g. GitLab or GitHub) – to access and analyse your codebase.
👨‍💻 A development team ready for collaboration – to support the setup and ensure analysis results are relevant and actionable.
The Software Composition Analysis service supports your team in detecting and managing risks in third-party libraries. The service includes:
🔧 Tool Setup and Configuration: We help you set up the SCA tool (Mend), configure it for your repository and prepare it for accurate scanning of third-party dependencies.
📑 Software Composition and Risk Reports: The tool produces reports that list the third-party libraries in your project and their licences, and flag known security vulnerabilities in them. We review these reports and share them with your team for action.
👨‍🏫 Expert Interpretation: We guide you through the analysis results, explain key findings and help assess their impact. Where needed, we provide follow-up support and coordinate a subsequent Software Licence Analysis (SLA) for a more detailed review.
Our goal is to help you manage the risks of using third-party code, stay compliant with licensing obligations and maintain secure software practices.
🔍 One-Time Setup
We run a snapshot analysis of your software’s third-party components and generate a report detailing library usage, detected licences and known vulnerabilities. This helps you understand your project’s external dependencies at a specific point in time.
🔄 Continuous Integration Setup
We assist in integrating the SCA tool into your continuous integration (CI) pipeline (e.g. GitLab, Bamboo, Jenkins), enabling continuous monitoring and automated alerts whenever a new third-party component, vulnerability or licence risk appears, so your team can address issues before they reach production.
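As an added example (not part of this page, and not code from the Mend product), the following Python script shows the kind of gate a CI job can run on an SCA report: it compares the current dependency list with the last approved snapshot, flags new components, and fails the pipeline on vulnerabilities at or above a chosen severity, on denied licences and on components whose licence could not be detected. The JSON report shape, the component names, the vulnerability identifiers and the policy thresholds are all constructed for illustration and are not any tool's real export format or any GÉANT rule; adapt `load_components` to what your SCA tool actually emits.

```python
"""CI gate for an SCA report: fail the build on policy violations.

Added example, not part of the GEANT service page or the Mend product.
The report format is a constructed, hypothetical JSON shape; adapt the
loader to whatever your SCA tool actually exports.
"""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Illustrative policy (assumption: thresholds chosen for the example only).
POLICY = {
    "fail_severity": "HIGH",            # HIGH or CRITICAL blocks the pipeline
    "denied_licences": {"AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"},
    "require_known_licence": True,      # an undetected licence is also a blocker
}

# Constructed sample reports in a hypothetical JSON shape (not any tool's real schema).
# Component names and vulnerability IDs are invented for illustration.
BASELINE_REPORT = json.dumps({"components": [
    {"name": "example-http", "version": "1.0.0", "licence": "Apache-2.0", "vulnerabilities": []},
    {"name": "example-json", "version": "2.0.0", "licence": "MIT", "vulnerabilities": []},
]})

CURRENT_REPORT = json.dumps({"components": [
    {"name": "example-http", "version": "1.0.0", "licence": "Apache-2.0", "vulnerabilities": []},
    {"name": "example-json", "version": "2.0.0", "licence": "MIT",
     "vulnerabilities": [{"id": "EXAMPLE-0001", "severity": "MEDIUM"}]},
    {"name": "example-parser", "version": "1.2.0", "licence": "Apache-2.0",
     "vulnerabilities": [{"id": "EXAMPLE-0002", "severity": "CRITICAL"}]},
    {"name": "example-orm", "version": "3.1.0", "licence": "AGPL-3.0-only", "vulnerabilities": []},
    {"name": "example-util", "version": "0.1.0", "licence": None, "vulnerabilities": []},
]})


def load_components(report_text):
    """Parse the (hypothetical) report format and return its component list."""
    return json.loads(report_text)["components"]


def component_key(component):
    """Identity used for baseline comparison: a version bump counts as new."""
    return f"{component['name']}@{component['version']}"


def evaluate(components, policy=POLICY, baseline=None):
    """Return findings as dicts with kind, component, detail and a blocking flag."""
    findings = []
    threshold = SEVERITY_RANK[policy["fail_severity"]]
    known = {component_key(c) for c in baseline} if baseline is not None else None

    for c in components:
        key = component_key(c)
        # Known vulnerabilities: block only at or above the configured severity.
        for v in c.get("vulnerabilities", []):
            rank = SEVERITY_RANK.get(v["severity"].upper(), 0)
            findings.append({"kind": "vulnerability", "component": key,
                             "detail": f"{v['id']} ({v['severity']})",
                             "blocking": rank >= threshold})
        # Licence checks: denied licence, or no licence detected at all.
        licence = c.get("licence")
        if licence is None:
            findings.append({"kind": "licence", "component": key,
                             "detail": "no licence detected",
                             "blocking": policy["require_known_licence"]})
        elif licence in policy["denied_licences"]:
            findings.append({"kind": "licence", "component": key,
                             "detail": f"denied licence {licence}", "blocking": True})
        # New component since the last approved snapshot: alert, do not block.
        if known is not None and key not in known:
            findings.append({"kind": "new_component", "component": key,
                             "detail": "not present in baseline snapshot",
                             "blocking": False})
    return findings


def gate(report_text, baseline_text=None, policy=POLICY):
    """Print every finding; return 0 if the pipeline may proceed, 1 otherwise."""
    baseline = load_components(baseline_text) if baseline_text else None
    findings = evaluate(load_components(report_text), policy, baseline)
    for f in findings:
        level = "FAIL" if f["blocking"] else "WARN"
        print(f"[{level}] {f['kind']}: {f['component']}: {f['detail']}")
    return 1 if any(f["blocking"] for f in findings) else 0


if __name__ == "__main__":
    # In CI, read the tool's report and the last approved snapshot from files;
    # here the constructed samples stand in for both.
    sys.exit(gate(CURRENT_REPORT, BASELINE_REPORT))
```

Run with the sample data, the gate exits 1: the CRITICAL finding, the AGPL-licensed component and the component with no detected licence each block the build, the MEDIUM finding is only a warning, and the three components absent from the baseline are reported as new so the team sees every addition even when it is otherwise clean.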
To get started, email us at sw-licences@software.geant.org, post in #sw-licences on the GÉANT Project Slack or submit a Software Review Request via the Help Desk.
Benefits of the service include:
🔹 Visibility into Third-Party Code: Provides a clear view of all third-party libraries in your project, helping you track and manage external components.
🔹 Risk Detection and Reporting: Identifies known security vulnerabilities and licence risks in your dependencies using an up-to-date licence and vulnerability database.
🔹 Integration with Development Workflow: The Continuous Integration Setup embeds the SCA tool into your CI/CD process, giving developers feedback on each build and shortening the time between a risk appearing and its detection.
🔹 Support for Licence Compliance: Acts as a prerequisite for SLA by ensuring third-party dependencies are known, documented and ready for a thorough review.
- Do we need technical expertise to use the SCA tool?
No, we handle the setup, run the analysis and help interpret the results.
- Is this service only for large projects?
No, it is suitable for projects of any size.
- Can the SCA tool be integrated with my current CI/CD platform?
Yes, it supports GitLab, Bamboo, Jenkins and other platforms.
- How often should we request an SCA analysis?
For dynamic projects with evolving technical platforms, regular scans are recommended. For stable or pilot projects, a one-time scan may be sufficient; it can be repeated as needed.
- What vulnerabilities does the SCA tool detect?
It detects known vulnerabilities in third-party libraries based on an up-to-date vulnerability database.
- What happens if a problematic licence is found?
We provide guidance on how to resolve the issue, including choosing alternatives or adjusting how the component is used.
- What if we need help understanding the results?
Reach out to the licensing team. We keep your request open until you fully understand the results and can provide a follow-up session if needed.